CIPL Submits Response to the European Commission's Standard Contractual Clauses for the Transfer of Personal Data to Third Countries under the GDPR
On December 10, 2020, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Commission’s request for comments on its draft implementing decision on Standard Contractual Clauses (“SCCs”) for transferring personal data from a controller or processor who is subject to the General Data Protection Regulation of the EU (“GDPR”) (i.e., a data exporter) to a controller or (sub)processor who is not subject to the GDPR (i.e., a data importer).
The European Commission (the “Commission”) published its draft on November 12th, 2020, updating the SCCs to align them with the GDPR and to take into account the requirements of the Schrems II judgment of the Court of Justice of the European Union of July 16th, 2020. That judgment confirmed the validity of SCCs as a transfer mechanism, but required organizations relying on them to assess the laws of the recipient country on a case-by-case basis, to review the effectiveness of the transfer mechanism in ensuring compliance with EU data protection requirements and, if necessary, to consider additional protective measures and complementary measures.
Once completed, the updated SCCs will replace the existing set and continue to allow organizations to demonstrate adequate safeguards for data transfers to third countries in the absence of an adequacy decision (subject to the requirements of the Schrems II ruling).
CIPL welcomed the opportunity to comment on the draft and highlighted the following points for the Commission:
- The interaction between the SCCs and Chapter V of the GDPR (in relation to international transfers) and Article 3(2) of the GDPR (in relation to its territorial scope) should be clarified.
- The need for Module 4, which aims to cover transfers from EU processors to non-EU controllers, should be further explored.
- The language and core concepts of the GDPR used in the SCCs should be fully aligned with and consistent with the GDPR.
- The Commission should provide an FAQ document to answer the most common questions about the SCCs.
- The one-year implementation period for the SCCs should be extended.
- An adequacy standard should be added in relation to the obligation to challenge requests from third-country governments; and
- The provisions of the SCCs that would establish a direct relationship between subprocessors and controllers and/or data subjects should be deleted.
Download a copy of CIPL’s full response.